{"id":1161,"date":"2010-12-08T04:01:07","date_gmt":"2010-12-08T12:01:07","guid":{"rendered":"\/?p=1161"},"modified":"2010-12-09T00:59:21","modified_gmt":"2010-12-09T08:59:21","slug":"gov20-and-facebook-%e2%80%98like%e2%80%99-buttons","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1161","title":{"rendered":"Gov2.0 and Facebook \u2018Like\u2019 Buttons"},"content":{"rendered":"

I couldn't agree more with the points made by identity architect James Brown<\/a> in\u00a0a very disturbing piece<\/a>\u00a0he has posted at The Other James Brown<\/a>.\u00a0<\/p>\n

James\u00a0explains how the omnipresent Facebook\u00a0\"\" widget works as a tracking mechanism:\u00a0 if you are a\u00a0Facebook subscriber, then whenever you open a page\u00a0showing the \"\" widget, your visit is reported to<\/em>\u00a0Facebook<\/em>.<\/p>\n

You don't have to do anything whatsoever – or click\u00a0the widget\u00a0–\u00a0to trigger this report.\u00a0\u00a0It is automatic.\u00a0 Nor are\u00a0we talking here about anonymized information or simple IP address collection.\u00a0\u00a0The report contains\u00a0your Facebook identity\u00a0information as well as the\u00a0URL of the page you are looking at.<\/p>\n

If you are familiar with the way advertising beacons operate, your first reaction might be to roll your eyes and yawn.\u00a0 After all,\u00a0tracking beacons are all over the place and we've known about them for years.<\/p>\n

But until recently, government web sites – or private web sites treating sensitive information of any kind – wouldn't be caught dead using\u00a0tracking beacons.\u00a0<\/p>\n

What has changed?\u00a0\u00a0Governments want\u00a0to\u00a0piggyback on the reach of social networks, and show\u00a0they embrace technology evolution.\u00a0 But do they have procedures in place that ensure that the\u00a0mechanisms they adopt are actually safe?\u00a0\u00a0Probably not, if the growing use of the Facebook ‘Like’ button\u00a0on these sites demonstrates. \u00a0I doubt those who inserted the widgets have any idea about how the underlying technology works – or the time or background to evaluate\u00a0it in depth.\u00a0 The result is a really serious privacy violation.<\/p>\n

Governments need to be cautious about embracing\u00a0tracking technology that betrays the trust\u00a0citizens\u00a0put in them.<\/em>\u00a0\u00a0James gives us a good explanation of the\u00a0problem with Facebook widgets.\u00a0 But other equally disturbing threats exist.\u00a0\u00a0For example,\u00a0should governments be developing iPhone applications when to use them, citizens must agree that\u00a0Apple has the right to reveal their phone's identifier and location to anyone\u00a0for any purpose?\u00a0 \u00a0\u00a0<\/em><\/p>\n

In my view,\u00a0data protection authorities are going to have to look hard at emerging technologies and develop guidelines on whether government departments can embrace technologies that endanger the privacy of citizens.<\/p>\n

Let's turn now to\u00a0the details of James’ explanation.\u00a0 He writes:<\/p>\n

I am all for Gov2.0.\u00a0 I think that it can genuinely make a difference and help bring public sector organisations and people closer together and give them new ways of working.\u00a0 However, with it comes responsibility, the public sector needs to understand what it is signing its users up for.\"image\"<\/a><\/p>\n

In my post Insurers use social networking sites to identify risky clients<\/a> last week I mentioned that NHS Choices<\/a> was using a Facebook \u2018Like\u2019 button on its pages and this potentially allows Facebook to track what its users were doing on the site.\u00a0 I have been reading a couple of posts on \u2018Mischa\u2019s ramblings on the interweb<\/a>\u2019 who unearthed this issue here<\/a> and here<\/a> and digging into this a bit further to see for myself, and to be honest I really did not realise how invasive these social widgets can be.<\/p>\n

Many services that government and public sector organisations offer are sensitive and personal. When browsing through public sector web portals I do not expect that other organisations are going to be able to track my visit \u2013 especially organisations such as Facebook which I use to interact with friends, family and colleagues.<\/p>\n

This issue has now been raised by Tom Watson MP, and the response from the Department of Health on this issue of Facebook is:<\/p>\n

\u201cFacebook capturing data from sites like NHS Choices is a result of Facebook\u2019s own system. When users sign up to Facebook they agree Facebook can gather information on their web use. NHS Choices privacy policy, which is on the homepage of the site, makes this clear.\u201d<\/em><\/p>\n

“We advise that people log out of Facebook properly, not just close the window, to ensure no inadvertent data transfer.\u201d<\/em><\/p><\/blockquote>\n

I think this response is wrong on a number of different levels.\u00a0 Firstly at a personal level, when I browse the UK National Health Service web portal to read about health conditions I do not expect them to allow other companies to track that visit; I don't really care what anybody's privacy policy states, I don't expect the NHS to allow Facebook to track my browsing habits on the NHS web site.<\/p>\n

Secondly, I would suggest that the statement \u201cFacebook capturing data from sites like NHS Choices is a result of Facebook\u2019s own system\u201d <\/em>is wrong.\u00a0 Facebook being able to capture data from sites like NHS Choices is a result of NHS Choices adding Facebook's functionality to their site.<\/p>\n

Finally, I don't believe that the “We advise that people log out of Facebook properly, not just close the window, to ensure no inadvertent data transfer.\u201d <\/em>is technically correct.<\/p>\n

(Sorry to non-technical users but it is about to a bit techy\u2026)<\/p>\n

I created a clean Virtual Machine and installed HTTPWatch so I could see the traffic in my browser when I load an NHS Choices page.\u00a0 This machine has never been to Facebook, and definitely never logged into it.\u00a0 When I visit the NHS Choices page on bowel cancer<\/a> the following call is made to Facebook:<\/p>\n

http:\/\/www.facebook.com\/plugins\/like.php?href=http%3A%2F%2Fwww.nhs.uk%2fconditions%2fcancer-of-the-colon-rectum-or-bowel%2fpages%2fintroduction.aspx&layout=button_count&show_faces=true&width=450&action=like&colorscheme=light&height=21<\/a><\/p>\n

\u00a0<\/p>\n

\"AnonFacebook\"<\/a><\/p>\n

So Facebook knows someone has gone to the above page, but does not know who.<\/p>\n

\u00a0<\/p>\n

Now go Facebook and log-in without ticking the \u2018Keep logged in\u2019 checkbox and the following cookie is deposited on my machine with the following 2 fields in it: (added xxxxxxxx to mask the my unique id)<\/p>\n